feat: support for clientIdPrefix for HAIP support in presentation flow #1564

Merged: RinkalBhojani merged 2 commits into main from feat/oid4vp-notification on Feb 12, 2026
@RinkalBhojani RinkalBhojani commented Feb 12, 2026

Added support for clientIdPrefix to align with HAIP in presentation flow

Summary by CodeRabbit

  • New Features

    • Added configurable client ID prefix options for X.509 signers (DNS or hash).
    • Intent-based verification now requires an explicit response mode and accepts an optional structured request signer.
  • Refactor

    • Request signer moved to a nested, composed object for clearer API surface and extended signer metadata propagation.
    • Signer method typing tightened for stronger validation.

Signed-off-by: Rinkal Bhojani <rinkal.bhojani@ayanworks.com>
@RinkalBhojani RinkalBhojani self-assigned this Feb 12, 2026

coderabbitai bot commented Feb 12, 2026

Walkthrough

Consolidates signer configuration into a new RequestSigner DTO/interface, adds a ClientIdPrefix enum, and updates DTOs, controller, and services to accept and propagate requestSigner (including optional clientIdPrefix) instead of a simple signerOption. Minor validation and API property updates applied.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| API Gateway DTOs | apps/api-gateway/src/oid4vc-verification/dtos/create-intent-based-verification.dto.ts, apps/api-gateway/src/oid4vc-verification/dtos/oid4vc-verifier-presentation.dto.ts | Added intent: string and responseMode: ResponseMode fields; introduced/consumed RequestSignerDto with method and optional clientIdPrefix; moved nested validation and ApiProperty metadata accordingly. |
| Verification Service (api-gateway) | apps/api-gateway/src/oid4vc-verification/oid4vc-verification.service.ts | Stop deriving a separate signerOption; include requestSigner directly in payload for createIntentBasedVerificationPresentation. |
| Verification Controller | apps/oid4vc-verification/src/oid4vc-verification.controller.ts | Controller payload/signature changed to accept requestSigner: IRequestSigner (replaced signerOption); destructuring and service call updated to pass requestSigner. |
| Verification Service (backend) | apps/oid4vc-verification/src/oid4vc-verification.service.ts | Method signatures updated to accept requestSigner: IRequestSigner; derive local signerOption = requestSigner?.method; propagate clientIdPrefix into X5C signer construction and resolved signer objects. |
| Shared Interfaces | libs/common/src/interfaces/oid4vp-verification.ts, apps/oid4vc-verification/interfaces/oid4vp-verification-sessions.interfaces.ts | IRequestSigner.method typed to SignerOption; added optional clientIdPrefix?: ClientIdPrefix to IRequestSigner and X5cSigner. |
| Enums | libs/enum/src/enum.ts | Added ClientIdPrefix enum with X509SanDns and X509Hash members. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Suggested labels

feature

Suggested reviewers

  • tipusinghaw
  • GHkrishna

Poem

🐰 I hopped through DTOs, tidy and bright,
Carried signer bits with a soft little bite,
ClientIdPrefix tucked in my paw for the day,
Nested requestSigner now leads the way,
Hooray for safer types — hop, hop, hooray! 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding clientIdPrefix support for HAIP in the presentation flow, which is reflected throughout the changeset with enum additions, interface updates, and implementation changes across multiple files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
apps/api-gateway/src/oid4vc-verification/dtos/oid4vc-verifier-presentation.dto.ts (1)

2-16: Duplicate imports from @nestjs/swagger and class-validator.

@nestjs/swagger is imported on both lines 2 and 5; class-validator is imported on both lines 3 and 6–16. Consider consolidating each into a single import statement for clarity.

Proposed consolidation
-import { ApiHideProperty, ApiPropertyOptional } from '@nestjs/swagger';
-import { IsEnum, IsOptional, IsString, IsUrl } from 'class-validator';
 /* eslint-disable camelcase */
-import { ApiProperty } from '@nestjs/swagger';
-import {
-  IsArray,
-  IsBoolean,
-  IsDefined,
-  ValidateNested,
-  ValidatorConstraint,
-  ValidatorConstraintInterface,
-  ValidationArguments,
-  Validate,
-  Matches
-} from 'class-validator';
+import { ApiHideProperty, ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
+import {
+  IsArray,
+  IsBoolean,
+  IsDefined,
+  IsEnum,
+  IsOptional,
+  IsString,
+  IsUrl,
+  Matches,
+  Validate,
+  ValidateNested,
+  ValidatorConstraint,
+  ValidatorConstraintInterface,
+  ValidationArguments
+} from 'class-validator';
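
Review bot: In the consolidated class-validator import, ValidationArguments is listed after ValidatorConstraintInterface, so the member list is not quite alphabetical; move it between ValidateNested and ValidatorConstraint if the project lints import member order. The merged imports also land below the `/* eslint-disable camelcase */` context line, which makes that comment the first line of the import section, so confirm that placement is intended.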


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@apps/api-gateway/src/oid4vc-verification/dtos/oid4vc-verifier-presentation.dto.ts`:
- Around line 316-324: PresentationRequestDto currently declares requestSigner: RequestSignerDto while using `@IsOptional()` and an ApiProperty description that says "Optional", causing a type mismatch and Swagger marking it required; change the TypeScript property to be optional (requestSigner?: RequestSignerDto) and update the `@ApiProperty` metadata on requestSigner to explicitly set required: false (keep `@IsOptional()`, `@ValidateNested()`, and `@Type(() => RequestSignerDto)` as-is) so runtime validation, TS types, and Swagger docs all agree.
- Around line 303-314: In RequestSignerDto adjust the clientIdPrefix decorators: remove the contradictory `@IsDefined()` so `@IsOptional()` can work as intended, change `@ApiProperty(...)` to `@ApiPropertyOptional(...)` to reflect the optional TypeScript field clientIdPrefix?, and update imports to include ApiPropertyOptional (remove or stop using ApiProperty for that property).
🧹 Nitpick comments (1)
apps/oid4vc-verification/src/oid4vc-verification.service.ts (1)

254-279: Consider extracting a shared helper to build X5C signer objects.

The X5C signer construction at Lines 254–259 (X509_P256) and Lines 274–279 (X509_ED25519) are nearly identical, differing only in the key type passed to getCurrentActiveCertificate. The intent-based method (Lines 365–385) already consolidates this into a single branch with a ternary. Applying the same pattern here would reduce duplication.

Sketch of consolidated approach
-      if (sessionRequest.requestSigner.method === SignerOption.X509_P256) {
-        this.logger.debug('X5C based request signer method selected');
-        const activeCertificate = await this.oid4vpRepository.getCurrentActiveCertificate(orgId, x5cKeyType.P256);
-        // ... validation ...
-        requestSigner = {
-          method: SignerMethodOption.X5C,
-          x5c: [activeCertificate.certificateBase64],
-          keyId: activeCertificate.keyId,
-          clientIdPrefix: sessionRequest.requestSigner.clientIdPrefix
-        };
-      } else if (sessionRequest.requestSigner.method === SignerOption.X509_ED25519) {
-        this.logger.debug('X5C based request signer method selected');
-        const activeCertificate = await this.oid4vpRepository.getCurrentActiveCertificate(orgId, x5cKeyType.Ed25519);
-        // ... identical validation ...
-        requestSigner = {
-          method: SignerMethodOption.X5C,
-          x5c: [activeCertificate.certificateBase64],
-          keyId: activeCertificate.keyId,
-          clientIdPrefix: sessionRequest.requestSigner.clientIdPrefix
-        };
+      } else if (
+        sessionRequest.requestSigner.method === SignerOption.X509_P256 ||
+        sessionRequest.requestSigner.method === SignerOption.X509_ED25519
+      ) {
+        this.logger.debug('X5C based request signer method selected');
+        const keyType = sessionRequest.requestSigner.method === SignerOption.X509_P256
+          ? x5cKeyType.P256
+          : x5cKeyType.Ed25519;
+        const activeCertificate = await this.oid4vpRepository.getCurrentActiveCertificate(orgId, keyType);
+        // ... single validation block ...
+        requestSigner = {
+          method: SignerMethodOption.X5C,
+          x5c: [activeCertificate.certificateBase64],
+          keyId: activeCertificate.keyId,
+          clientIdPrefix: sessionRequest.requestSigner.clientIdPrefix
+        };
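
Review bot: The first removed line opens the block with `if (` but its replacement opens with `} else if (`, so the sketch only parses when an earlier branch precedes this block, and the hunk shows none; keep the original `if (` or include the preceding branch as context. Also, the merged branch copies `sessionRequest.requestSigner.clientIdPrefix` into the signer with no fallback, and the interface summary on this page marks that field optional, so the X5C signer is built with it undefined when the caller omits it; either default it here or note in a comment which prefix applies in that case.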

Signed-off-by: Rinkal Bhojani <rinkal.bhojani@ayanworks.com>

@tipusinghaw tipusinghaw left a comment


LGTM

@RinkalBhojani RinkalBhojani merged commit 1b88ea5 into main Feb 12, 2026
8 checks passed
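
What the clientIdPrefix choice on an X.509 request signer changes in practice, as an added TypeScript example (not code from this PR or the project): it derives the client_id for each prefix from the x5c leaf and shows the matching wallet-side binding check. The prefix strings and derivation rules follow the OpenID4VP definitions of x509_san_dns and x509_hash and are assumed to match the PR's ClientIdPrefix enum; LeafInfo, the function names and the sample data are hypothetical, SAN names are assumed to be extracted already, and request-signature and chain validation are out of scope.

```typescript
import { createHash } from 'node:crypto';

// Prefix strings as OpenID4VP defines them (assumed to match the PR's enum values).
type ClientIdPrefix = 'x509_san_dns' | 'x509_hash';

interface LeafInfo {
  x5cLeaf: string; // x5c[0]: standard base64 of the DER-encoded leaf certificate
  sanDnsNames: string[]; // lower-case dNSName SAN entries, assumed already extracted
}

// base64url(SHA-256(DER leaf)) without padding: the identifier used with x509_hash.
function leafHash(x5cLeaf: string): string {
  const der = Buffer.from(x5cLeaf, 'base64');
  const b64 = createHash('sha256').update(der).digest('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Verifier side: build the client_id placed in the signed authorization request.
function buildClientId(prefix: ClientIdPrefix, leaf: LeafInfo, dnsName?: string): string {
  if (prefix === 'x509_hash') return `x509_hash:${leafHash(leaf.x5cLeaf)}`;
  const name = (dnsName ?? '').toLowerCase();
  if (!name || !leaf.sanDnsNames.includes(name)) {
    throw new Error('x509_san_dns needs a DNS name listed in the leaf SAN');
  }
  return `x509_san_dns:${name}`;
}

// Wallet side: accept a client_id only when it is bound to the presented leaf.
function clientIdMatchesLeaf(clientId: string, leaf: LeafInfo): boolean {
  const sep = clientId.indexOf(':');
  if (sep < 0) return false; // no prefix, so no X.509 binding to check
  const prefix = clientId.slice(0, sep);
  const value = clientId.slice(sep + 1);
  if (prefix === 'x509_hash') return value === leafHash(leaf.x5cLeaf);
  if (prefix === 'x509_san_dns') return leaf.sanDnsNames.includes(value.toLowerCase());
  return false;
}

// Constructed samples: placeholder bytes standing in for DER certificates.
const sampleLeaf: LeafInfo = {
  x5cLeaf: Buffer.from('constructed-placeholder-not-a-real-certificate').toString('base64'),
  sanDnsNames: ['verifier.example.com']
};
const otherLeaf: LeafInfo = {
  x5cLeaf: Buffer.from('constructed-placeholder-for-another-certificate').toString('base64'),
  sanDnsNames: ['other.example.com']
};
```

With x509_hash the identifier changes whenever the active certificate is rotated, while x509_san_dns stays stable as long as the new leaf carries the same DNS name.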